by James Habben
You have all run into this dreaded case, I’m sure. Maybe a few times. I am talking about that case where you are asked to prove or disprove a given action of a user, but the evidence just doesn’t give in. You poke, you prod, you turn it inside-out. Nothing you do seems to be getting you any closer to a conclusion. These are the cases that haunt me for a long time. I still have some rumbling around in my head from over 10 years ago.
Should I have eaten that entire tub of ice cream with gummy bear and potato chip toppings while pulling my hair out and questioning my mere existence?
I tend to form an attachment to my cases. Maybe you do to? I take it on as a personal challenge. A challenge to prove that I am capable. A challenge to learn something new. A challenge to use a new tool, or an old tool in a new way. A challenge to take a step towards being a better investigator.
When I run into these cases that present no artifacts of activity, I end up spending a ton more time on them. I try to find something in the obscure areas. Sometimes it works and my perseverance pays off. I finally find that one little hint, and it unravels the rest of my case. I put that hint into my bank of things to look for in the future, and I have just improved my skills as an investigator.
Other times, I have to give in and say “uncle”. Because of the attachment I form with the case, it can sometimes drag me down. It feels like a failure to me. I should be able to find something, even the tiniest thing, which can give some kind of hint. But when have I spent enough time on it?
There is a phrase that has been passed around the DFIR circles for many years. As much as it may seem, it didn’t start in our industry. It is a logic based thought and is discussed in probability as a way of forming a hypothesis. Fortunately, it fits for us too, so here it is:
The absence of evidence is not evidence of absence
In the original context, the usage of the word evidence is referring to an event. We base our investigations on the existence of an artifact on disk as a result of a user action (event). If artifact X exists in this data, then event Y must have taken place on this computer. It is a very sound approach, and one that many investigators use, digital or not. The finding of that artifact allows us to build a case with a reasonable certainty about the actions taken on this computer. We can’t always extend that onto the person on the opposite side of the table from us, but that is a whole ‘nother topic.
If we scour the drive and find that it is lacking evidence of artifact X, does that mean that event Y did not take place on this computer? Of course not! Because of the intimate knowledge we, as forensic experts, have about the programs and systems of computers, we could perform any number of actions and wipe the disk of any artifacts, if given enough time. In that scenario, event Y did happen. We know because we carried out the actions ourselves. Looking back at our phrase, we find it to ring pretty true.
This is what makes our investigations so difficult. Science is able to say things so simply: If x then y; if !y then !x. We cannot use this logic structure because there are too many variables at play. The courts accept our tools and findings based on them being a scientific process, but some argue that digital forensics is not a science while others say it is a combination of art and science. No matter what your opinion is, we can agree on the phrase I highlighted above. Just because I don’t find a deleted file, it doesn’t mean that file didn’t exist.
How far, then, do you go? How much time do you spend?
Some of you may have the luxury of spending as much time on a case as you need in order to be satisfied with the conclusion. Most of you, however, have someone
asking telling you when you will have this case wrapped up.
I used to have more freedom in the time I spent on my cases. It’s not my decision anymore. I have someone paying for every hour I put into my cases, and that can get expensive. I absolutely am doing my best to find even the tiniest little artifact and I am determined to break the case open. My investigation is a direct cost, though. They will get an invoice. The invoice will get passed around to various departments as it gets processed. My forensic report will get passed around various departments as well. Some of those departments will be analyzing the cost of getting this report. If my report cost them $50,000 and simply says ‘no findings’, you can bet there will be some unhappy people.
So, how much time do you spend?
My approach to this, in both past and present, is to take the burden of cost off of my shoulders. When a case is starting to head towards the dreaded ‘no findings’, I start preparing myself for it. In preparing, I start documenting my actions instead of just my findings. I prepare to deliver the bad news of ‘no findings’ to the person requesting the case.
When I get to a point of being comfortable with having exhausted all reasonable artifacts, I present my work to the customer. I take a different approach because I don’t have a list of artifacts proving the case. I explain that I don’t have any findings yet. Then I spend some time in education with the customer. I explain the standard processes that we use in forensics. I explain the approach that I have taken and the reasons behind it. I want to make sure the customer understands that they are paying for the work I am doing and not just the result. I want them to feel good about spending the money, and that they are also getting a very thorough review of the evidence.
Then, I give the options. I explain the techniques that I feel might give results, and I am honest about my expectations. I don’t ever want a customer to come back to me, unhappy, because I talked them into paying for a technique that didn’t pan out. This usually results in the customer having an internal chat about moving forward. Sometimes they really want that forensic answer, but other times they are satisfied with knowing the proposed scenario of the case was highly improbable based on the lack of evidence to support that the actions were performed. It’s a balance of cost vs benefit.
This is the hardest part for me. If the customer decides that the ‘no findings’ are enough, then I have to move on. There are more cases lined up and waiting for my time. I want resolution in every case, but it just isn’t reasonable. I can only do my best with the time that I am allowed.
Finding no evidence of a proposed action does not make you a substandard examiner. If you can stand up proud with your report in your hand, then you have done all you can. If you can defend your findings to other examiners who constructively ask if you tried technique A or technique B, then you have proven your skills.
Be proud of your work!